[Swan] Is it possible to apply a (private) policy to host-to-host vpn-cfg ?

Daniel Thielemann luie at mailbox.org
Fri Apr 17 02:08:50 UTC 2020


Hi,

I would like to use different host-to-host VPNs to "authenticate" the 
hosts before they can communicate with each other, and so far I have 
solved this with RSASIG keys; that works fine.

To secure it completely, I would like to ask whether there is any way I 
could apply a "private or drop/hold packet" policy to my VPN configs so 
that packets are encrypted in ANY case before they leave the box. I have 
already used the parameters, but the shunting/whack (I don't know what 
the right name for it is) policies didn't come up. I think that is 
because it only works with "conn private" and %opportunisticgroup, 
right? Is there any other way to achieve this so that I can stick with 
my rsasigkeys?

Because I have different security levels (roles), it would be great to 
find a way, because then I really know which host can talk to whom.

Boxes are running CentOS 8 with libreswan 3.29-6.el8.

Config:

conn tun_ap01
     leftid=@db01.mydom.lan
     left=192.168.3.1
     leftrsasigkey=<snip>
     rightid=@ap01.mydom.lan
     right=192.168.2.1
     rightrsasigkey=<snip>
     authby=rsasig
     # use auto=start when done testing the tunnel
     auto=start
     encapsulation=yes
     ikev2=insist
     phase2=esp
     narrowing=yes
     negotiationshunt=hold
     failureshunt=drop
     keyingtries=%forever
     retransmit-timeout=3s


Thanks in advance

Kind regards,

Daniel
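An added verification step, not part of the original post and not libreswan's own tooling: whatever the answer to the config question, the authoritative view of "does traffic to this peer leave the box encrypted, get dropped, or go out in plaintext" is the kernel's xfrm policy database. The script below parses `ip xfrm policy` output and classifies the outbound policy for one host pair. The sample output is constructed from the addresses in the posted conn (including a made-up block policy toward 192.168.9.9 and an unconfigured peer 10.0.0.1); the result labels are the script's own, not kernel or libreswan terms.

```shell
#!/bin/sh
# Added example (not from the original post or from libreswan): classify the
# kernel's outbound IPsec policy for one host pair by parsing `ip xfrm policy`
# output. Result is one of:
#   esp-tunnel  - traffic is forced through ESP (encrypted before it leaves)
#   block       - traffic is dropped by a shunt policy (never leaves in clear)
#   none        - no matching policy: packets would leave the box in plaintext
#   allow-other - a policy matches but is neither ESP nor block (inspect manually)

# Constructed sample of `ip xfrm policy` output, using the addresses from the
# posted conn. Real output uses tabs for indentation; awk splits on any whitespace.
SAMPLE_XFRM='src 192.168.3.1/32 dst 192.168.2.1/32
    dir out priority 2080702 ptype main
    tmpl src 192.168.3.1 dst 192.168.2.1
        proto esp reqid 16389 mode tunnel
src 192.168.2.1/32 dst 192.168.3.1/32
    dir in priority 2080702 ptype main
    tmpl src 192.168.2.1 dst 192.168.3.1
        proto esp reqid 16389 mode tunnel
src 192.168.3.1/32 dst 192.168.9.9/32
    dir out action block priority 1040 ptype main
'

# classify_out_policy LOCAL PEER  < xfrm-policy-text
# Only exact /32 host selectors are considered; when several outbound policies
# match, the one with the lowest priority value wins, as in the kernel.
classify_out_policy() {
    awk -v src="$1/32" -v dst="$2/32" '
        function flush() {
            if (sel && dir == "out" && (best == "" || prio + 0 < best + 0)) {
                best = prio
                result = (action == "block") ? "block" : (esp ? "esp-tunnel" : "allow-other")
            }
        }
        # "src A dst B" opens a new policy record: finish the previous one first.
        $1 == "src" {
            flush()
            sel = ($2 == src && $4 == dst)
            dir = ""; action = "allow"; prio = ""; esp = 0
            next
        }
        # Direction line carries the optional "action block" and the priority.
        sel && $1 == "dir" {
            dir = $2
            for (i = 1; i < NF; i++) {
                if ($i == "action")   action = $(i + 1)
                if ($i == "priority") prio = $(i + 1)
            }
            next
        }
        # Template line of the record: "proto esp ... mode tunnel" means ESP.
        sel && $1 == "proto" && $2 == "esp" { esp = 1 }
        END { flush(); print (result == "" ? "none" : result) }
    '
}

# Stand-alone demo on the constructed sample; on a real box run:
#   ip xfrm policy | classify_out_policy 192.168.3.1 192.168.2.1
for peer in 192.168.2.1 192.168.9.9 10.0.0.1; do
    printf '%s -> %s: %s\n' 192.168.3.1 "$peer" \
        "$(printf '%s' "$SAMPLE_XFRM" | classify_out_policy 192.168.3.1 "$peer")"
done
```

Run it against the live `ip xfrm policy` on each box for every peer it is supposed to talk to: a "none" result for a peer means there is currently nothing in the kernel forcing that traffic into the tunnel or dropping it, which is exactly the gap the question is about. The check only covers exact host selectors and does not model the kernel's full policy precedence rules for overlapping prefixes.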


